What's Next for VAT Function? VAT Risk Management ~ ACCOUNTING AND TAX JOURNAL

A comprehensive blog for Accounting, Financial, Audit, Taxation and HR Professionals

Wednesday, February 13, 2019

What's Next for VAT Function? VAT Risk Management


In the year since the introduction of indirect tax, professionals in the UAE have earned several badges for successful VAT registration, implementation, lodging of VAT returns, payments and refunds. Some are done with a VAT audit, some are planning an appeal, while others are in the queue...

But what's next for the tax function? Is this the limit of its role?

What about the risks identified during the whole process?
Were those risks managed?
Is there a risk control strategy?

The nature of business is dynamic and keeps changing. To gauge what challenges the future may hold, it is vital to have a systematic framework to ensure that significant VAT risks are identified and managed.

VAT is not simply a cost-neutral “cash in and cash out” scenario. Errors in VAT calculations create not only financial risk but can also be devastating for a company's reputation.

The VAT function has prime responsibility for managing this risk: ensuring that the right skilled people and appropriate processes and procedures are in place to manage VAT risk.

What are VAT Risks? Where have you identified them?

"Tax risk is the likelihood that tax outcome differs from what is expected, due to a variety of reasons, for example, the judicial process, changes in the law, changes in business assumptions, an increased intensity of audits, and uncertainty in the interpretation of the law" Arlinghaus (1998)



How to control these Risks?

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control Integrated Framework. It is recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control. The framework is used on a global basis and is used for VAT risk management.

The framework sets three objectives and five components with 17 principles.


How to correlate COSO Objectives with VAT Risk Management?

The COSO Framework's three objectives (operations, reporting and compliance) can be correlated to our identified VAT risks as follows:



What does each COSO component mean in terms of VAT risk management?

The COSO Framework's five inter-related components and 17 principles support an organization in achieving its three objectives as follows:



The control environment is the foundation for all the other components of internal control. The key players are the Board and senior management, who, through policy and objectives, set the culture and tone for how VAT risks are controlled in the organization and set accountability for ongoing monitoring.

The "VAT function" is responsible for managing the actions and activities that create VAT risk, assisting senior management to understand and set the "VAT risk appetite" (how much risk they are willing to take), and managing the VAT risk profile to remain within this appetite.

The VAT functional head is responsible for formally drafting the "VAT risk management policy" and the Board is responsible for formally approving it, although in practice it is likely to be the CFO or the CEO who would take ownership of it. Once approved, the policy should be communicated to those responsible for the implementation of the policy and to other interested stakeholders such as the audit committee and the chief risk officer.



The second component is VAT risk assessment: the awareness and response of an organization to the different types of VAT risk it faces. The organization needs to establish "processes & procedures" to identify, evaluate and manage VAT risks.

  • VAT risk identification: Risks could arise from changes in VAT laws and regulations or from changes in the ongoing day-to-day activities of the business. The first step is to identify the type of VAT risk, i.e., operational, compliance or financial accounting risk.
  • VAT risk analysis: Having identified the VAT risks, the second part of the risk assessment phase is to consider the potential VAT impact and the likelihood of the underlying event occurring, so that the risks can be ranked and prioritized. Various qualitative and quantitative techniques are used to quantify risk.
  • VAT risk response: Once the potential significance of a risk has been assessed, consideration is given to how the VAT risk should be managed and whether to accept, avoid, reduce or share the risk.




The third component is VAT control activities. These are "Policies and Procedures" built into the day-to-day operations of the business, with responsibility for activities assigned to responsible persons to ensure achievement of the organization’s VAT risk objectives.

Various transaction control activities are used to mitigate VAT risks, such as authorizations and approvals, verification, reconciliations, reviews and segregation of duties.

Technology risk controls are built to support not only the completeness and accuracy of information processing, but also the timely identification of changes in VAT laws, regulations and decisions, and should be both preventative and detective.



The fourth component is information and communication. It is a continual, iterative process that supports the other four components by providing, sharing and obtaining the necessary information, ensuring that VAT risks are documented and communicated to the relevant people for action.

Various communication channels are used, such as dashboards, formal and informal emails, memoranda, a website or documents on an intranet site, and policies and procedures. This component ensures that all VAT risks that are identified and quantified, and the controls designed to manage those risks, are documented and communicated across the organization.



The fifth component is monitoring. These activities assess whether each of the five components of internal control and the relevant principles are present and functioning.

Here the "Internal Audit Function" is the main player. It performs monitoring to assess the operating effectiveness of the internal controls over VAT risks, using “ongoing or separate evaluations” or a combination of both.

These evaluations identify where controls are not operating effectively and allow remedial action to be taken, and provide "early identification of deficiencies" where new risks are not being properly managed. This helps the internal control system to be responsive to changing conditions both within and outside the organization.


You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.



Disclaimer: This article expresses the opinion of the author; readers are free to express their differences and are advised to exercise their discretion.

About Me

Greetings! My name is Tasleem Faraz Minhas author of this blog and I am a Tax Consultant by profession having more than 12 years of experience in the field of Accounting, Finance and Taxation.
